1 Reply Latest reply on Jan 26, 2005 7:41 PM by John Vandale

    can bypass security using context root

    John Vandale Newbie

      Successfully deployed my .ear which contains a .war. The context root for that web module is declared in the .ear's application.xml to be:

      <context-root>foo/top</context-root>

      The web.xml in the .war has a security constraint. One of the URLs specified in a web-resource-collection in the security constraint is:

      <url-pattern>/index.jsp</url-pattern>

      From my browser if I hit:

      http://localhost:8080/foo/top/index.jsp

      I get the forms-based login challenge I have set up.

      If however I hit:

      http://localhost:8080/foo/top

      I access the page. Thus I can bypass the JBoss security by not explicitly specifying index.jsp but rather just specifying the context root.

      I'm using 4.0.1RC1.

      John

        • 1. Re: can bypass security using context root
          John Vandale Newbie

          Note: This has nothing to do with browser caching. Before each test I stop/restart JBoss and the browser session. Whether I hit just the context root first or specify index.jsp first I see the described behavior.

          Note: I can get around this by specifying:

          <url-pattern>*.jsp</url-pattern>

          In the security constraint, though I don't want to do that. This test, however, makes it seem like JBoss is accessing some internal .jsp prior to hitting index.jsp. Bizarre, I know; grasping at straws here as to a reason for this behavior.

          That workaround aside, it certainly seems like JBoss does not consider the context root and the context root with /index.jsp on the end to be the same in terms of the security constraint.

          John
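Added example, not code from the thread or from JBoss: a small audit script modelling the servlet-spec rule that security constraints are matched against the original request path, while welcome-file resolution (the context root forwarding to index.jsp) happens inside the container afterwards. It assumes the constructed web.xml below, an exact pattern of `/index.jsp`, and the spec's three pattern kinds (exact, `/prefix/*`, `*.ext`); it reports the request paths that reach the welcome file without hitting any constraint, and shows a path-prefix pattern closing the gap. Why `*.jsp` happened to work on that JBoss build is container behaviour this model does not reproduce.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml modelled on the thread: the constraint names /index.jsp
# explicitly, and index.jsp is also the welcome file served for the context root.
WEB_XML = """<web-app>
  <welcome-file-list><welcome-file>index.jsp</welcome-file></welcome-file-list>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/index.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def pattern_matches(pattern, path):
    """Servlet-spec style match of one url-pattern against a context-relative path."""
    if pattern.endswith("/*"):                      # path-prefix mapping, e.g. /* or /secure/*
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):                    # extension mapping, e.g. *.jsp
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern == path                          # exact mapping, e.g. /index.jsp


def constrained_patterns(web_xml):
    return [p.text.strip() for p in ET.fromstring(web_xml).iter("url-pattern")]


def welcome_files(web_xml):
    return [w.text.strip() for w in ET.fromstring(web_xml).iter("welcome-file")]


def unprotected_welcome_paths(web_xml):
    """Request paths that reach a welcome file without matching any constraint.

    The container turns '' and '/' (the bare context root) into the welcome
    file internally, but constraints are checked against the original path,
    so only patterns covering those paths actually protect the page.
    """
    patterns = constrained_patterns(web_xml)
    gaps = []
    for wf in welcome_files(web_xml):
        for path in ("", "/", "/" + wf):
            if not any(pattern_matches(p, path) for p in patterns):
                gaps.append(path)
    return gaps


# Hardened variant: a path-prefix pattern covers the context root as well.
HARDENED_WEB_XML = WEB_XML.replace("<url-pattern>/index.jsp</url-pattern>",
                                   "<url-pattern>/*</url-pattern>")
```

Running `unprotected_welcome_paths(WEB_XML)` reports the two context-root forms as uncovered, while the hardened variant reports none.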